Cybersecurity

Finding a cure for pharma companies

Of all the threats that pharmaceutical businesses face, the one truly global threat affecting the whole sector, in common with many others, is cyber-attack. Barely a week passes without a press report of a cyber-attack. 2015 saw reports of attacks on a range of targets: Ashley Madison, Carphone Warehouse, the German Parliament and TalkTalk among many others. There is no sign of this changing in 2016.

There have been reports of specific attacks on companies in the pharma sector, notably in a survey by Crown Records Management in 2015, which found that almost two-thirds of pharma companies have suffered serious data breaches and a quarter have been hacked. In 2014, FireEye reported having identified a group that were targeting pharma companies for access to market sensitive data.

Threats come from a variety of sources. The motivation may be theft of money or information, seeking access to third party data, or it may be idealistic. The attackers may be criminals, hacktivists who disapprove of a business’ activity, nation states or they could be closer to home. Employees moving to new jobs or those disgruntled with their employer can steal important data and pass it to competitors, or leave a ‘back door’ open exposing the business to attack. Innocent employees may simply fall victim to a scam or act carelessly.

Governments are taking the threat seriously. The UK government has classified cyber-attacks as a tier 1 threat to the country alongside terrorism, military crises and natural hazards. At a pan-European level the EU Network and Information Security Directive will impose reporting duties on operators of critical services in energy, transport, health and banking, among others and will require Computer Security Incident Response Teams in each member state to discuss cross-border security incidents and identify coordinated responses.

The risks and implications of a successful attack on a business are significant. Some of the most obvious examples include data breach where sensitive information is lost, leaked, stolen or damaged. This can give rise not only to claims for damages against the business but to regulatory interest and, potentially, fines and rectification costs. Inadvertent transmission of malware causing damage to a third party can give rise to claims for damages. In addition to damages claims and fines, the internal costs to a business of dealing with the aftermath of an attack include not only management time and rectification costs (for example in reconstituting a database) but also the reputational damage that may arise. The costs to businesses vary depending on the nature of the data breach and the size of the business. TalkTalk announced in February 2016 that the cost of the cyber-attack it suffered in October 2015 was £60m. Directors could be vulnerable to action by shareholders if they do not take reasonable steps to protect the business from cyber-attack.

Personal data
A business which fails to take steps may unwittingly find itself in breach of the current EU directive applicable to personal data (known as Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data) (‘the Directive’). In addition to dealing with the immediate fallout of the attack, the business could also face claims for damages from data subjects, an investigation, a monetary fine or penalty dependent upon the local implementation of the Directive, and prosecution in the local courts or claims for breach of contract and confidentiality and breach of duty.

Moving forward under the proposed draft EU General Data Protection Regulation (‘Regulation’), mandatory breach notification may well be introduced and fines for breaches of the Regulation are likely to be up to €20m or 4% of annual worldwide turnover in the previous year, whichever is higher. For breaches of more minor provisions of the Regulation, the maximum fine is the greater of 2% of annual worldwide turnover or €10m. This represents a massive increase in monetary implications for businesses when the Regulation is introduced (likely to be by the end of 2018).

The move from the Directive to the Regulation will see a different approach. The new regime will impose greater burdens on both data controllers and processors. The aim of the Regulation is to have a direct effect in each member state rather than allowing member states flexibility on implementation, thus leading to harmonisation. As part of a drive for greater accountability, public bodies and businesses processing sensitive data on a large scale or engaged in systematic monitoring on a large scale (whether data controllers or data processors) will be required to appoint data protection officers. The aim is also to have a one-stop shop in the case of enforcement so that in the case of cross-border processing, data controllers and data processors will normally only have to deal with the Regulator in the country of their single or ‘main’ establishment (a concept which is defined in the Regulation).

Rather than the current regime of notification and registration, businesses will need to implement more focused auditing and risk assessment procedures and ensure appropriate policies are in place. The Regulation will apply a wider definition of ‘personal data’ including new concepts of ‘pseudonymised data’, ‘genetic data’ and ‘biometric data’ (for example fingerprint data) and ‘health’ data. This, together with the mandatory breach notifications and larger fines, will have a direct and regulatory impact on pharmaceutical companies as well as those in the R&D sphere and the supply chain.

Privacy Shield and safe harbour 
The Directive requires that personal data can only be transferred outside the EEA to a territory granting adequate protections in respect of the freedoms and rights of individuals (unless certain exceptions apply such as obtaining consent, or using EU Commission-approved standard transfer clauses). Generally the draft Regulation will not change this approach. One method of seeking to meet the adequacy requirement when transferring personal data to the US (which is not an approved country granting adequate protections) is to transfer either with consent or to businesses that have signed up to the US safe harbour (previously approved by the EU Commission as meeting the adequacy test). Following the decision in the Schrems case last year (which was concerned with US Department of Justice access to personal data), the Court of Justice of the EU found the decision on the adequacy of the US safe harbour invalid. In order to address this, the EU Commission recently announced that a new political agreement to create a new legal structure for transferring personal data from the EU to the US, called the EU-US Privacy Shield, is being negotiated. Many organisations will be hopeful that the Privacy Shield will be implemented speedily, to get the transatlantic flow of personal data back up and running using this method instead of relying on other, more cumbersome means.

Prevention
Businesses must take reasonable steps to protect themselves from the risks of cyber-attack. They need to identify areas of weakness in their business and infrastructure. They should put in place appropriate policies and standards, procedures and training for staff, and review business arrangements, contracts and insurance policies. There should be a response plan in place setting out the practical steps that will need to be taken in the wake of an attack. Consideration should be given to how a later investigation will be handled, bearing in mind that if investigations are conducted under legal privilege, this could protect the business from having to disclose potentially damaging material in later litigation.

As part of its planning a business will need to review existing insurance policies to see if they might respond to a cyber-attack event. Consideration should be given to putting in place appropriate insurance if necessary. While a cyber-policy is unlikely to indemnify against all losses, it can provide valuable cover, but be careful to check the policy scope and exclusions.

Putting in place a plan to protect from and respond to an attack is part of the solution but in itself it is not enough. That plan needs to be constantly re-evaluated to ensure continuing fitness for purpose. As part of this process businesses will need to keep up to date with new regulatory requirements and the changing legal framework.

Michael Frisby and Beverley Flynn, Partners at Stevens & Bolton LLP
29th March 2016